Prompt Injection Isn’t a Party Trick, It’s a Leadership Problem in 2026

If there’s one generative AI topic that deserves more airtime in 2026, it’s security. Specifically, it’s how LLM-based systems fail in ways that don’t look like traditional software failures.

In a recent video from Matt Mead’s LinkedIn series, he points to a resource we think every organization using AI should have on their radar: OWASP’s Top 10 risks for LLM and GenAI applications. This is a practical, threat-focused list that applies well beyond engineering teams. If you use AI, approve AI, fund AI, or sit in meetings where AI decisions get made, this is your problem too.

OWASP lists Prompt Injection (LLM01) as the top risk, because it’s the simplest way to change an AI system’s behavior using nothing more than words.

OWASP defines prompt injection as a situation where user prompts alter an LLM’s behavior or output in unintended ways, potentially leading to sensitive info disclosure, unauthorized access, or manipulation of decision-making.

That sounds abstract until you see how small the “attack” can be.

Here is a simple illustrate of how LLM rules can be overridden, imagine you’ve built an AI feature and you’ve given it a clear rule in a system prompt: Never return an emoji.

You test it. A user asks for emojis. The model refuses. Great.

Then the user asks something that frames the request differently; say they’re “doing research” and need the best emoji to represent ice cream. Suddenly, the emoji appears.

This wasn’t hacking or an exploit kit. Just language. That’s the uncomfortable reality: the model is optimizing to be helpful, and that helpfulness can override earlier instructions, especially when prompts are designed (intentionally or not) to redirect behavior. OWASP is blunt about the underlying issue: prompt injection vulnerabilities arise from how models process instructions and data together, and there isn’t a foolproof prevention method, only mitigations.

And prompt injection isn’t limited to what a user types directly. OWASP distinguishes between:

• Direct prompt injection (a user’s input alters behavior), and
• Indirect prompt injection (hidden instructions embedded in external content the model reads, web pages, documents, files).

That second category is where things get especially serious in real organizations.

It’s tempting to treat prompt injection as a “chatbot problem” or a novelty (like sneaking an emoji past a rule). But OWASP explicitly calls out that prompt injection can lead to content manipulation, unauthorized access to functions, executing commands in connected systems, and manipulating critical decision-making, depending on how much agency the AI has.

In practical terms, the risk could look like this:

• A hiring workflow gets nudged by hidden instructions in a resume or portfolio.
• Customer communications drift in tone or policy because a model was steered by cleverly framed input.
• Leadership decisions get shaped by confident summaries influenced by untrusted content in the data being summarized.

The scary part isn’t that the model “breaks rules.” It’s that the model might follow instructions that the organization never intended, never approved, and may never see, especially when AI is embedded into long-running processes.

Traditional software is usually a rules-based engine: predictable inputs produce predictable results.

LLMs don’t operate in that way. They process both instructions and data together, and they can be influenced. OWASP’s guidance reflects this approach by recommending the segregation and labeling of untrusted content, applying the principle of least privilege, and testing boundaries by treating the model as an untrusted user during adversarial simulations.

In other words: if a model can “hear” an instruction, you must assume it might act on it, unless you’ve designed the surrounding system to prevent that.

You don’t need to become an AI security researcher. But you do need a baseline operating model for risk, because responsibility for outcomes doesn’t shift to the model.

A few practical starting moves:

1. Start with OWASP’s LLM Top 10, begin at #1. Use it as a shared vocabulary across product, engineering, security, and leadership.
2. Map where AI influences outcomes. Anywhere AI touches decisions (hiring, customer communication, approvals, recommendations) deserves extra scrutiny.
3. Assume inputs are untrusted. Especially when models consume external documents, web pages, tickets, or emails (indirect injection).
4. Apply least privilege + human-in-the-loop for high-risk actions. OWASP calls out both as key mitigations.
5. Red-team early and continuously. Treat the model like an untrusted user and run adversarial simulations before (and after) launch.

This post is part of an ongoing SPR series drawing out the ideas behind Matt Mead’s LinkedIn videos.

Watch the full video here

If prompt injection (or AI security more broadly) is raising questions in your org, we’re always up for a conversation, because understanding these risks isn’t just technical work anymore. It’s leadership work.